SonarCloud rules versioning

Hi Community,

We are developing Medical Desktop Software in C++.
It is very important for us to have the full development environment under control and under revision.

One of the important development steps is continuous static code analysis with SonarCloud. In order to keep the applied rules under control (and unchanged until we decide), we created our own Quality Profile, so that when the “Sonar Way” profile changes for C++ (adding/removing/obsoleting rules), ours stays intact.

Even with a strict set of rules applied to our project and kept under control, it happens that a new analysis suddenly finds bugs in code that has not been changed for months. We assume that SonarCloud continuously improves the bug-detection algorithms for each existing rule, but we as users are not notified when this happens.

Does SonarCloud have a versioning system for the rules/algorithms that are applied to an analysis run? How can it happen that the same rule suddenly finds bugs where none were found in previous runs?

Kind regards,
Senad

Hi @Senad,

Thanks for your message and sorry for the time it took to answer you.

We regularly update and improve the code analyzers. Hence it is correct that improved analyzers may find issues that were not caught previously. One typical reason is that the accuracy of the analyzers is improved, so that more true positives are found and fewer false positives are raised.

SonarCloud provides the latest versions of the analyzers: you can’t lock onto a specific version. On the other hand, you continuously benefit from the latest and greatest versions.

If you want to lock onto a specific version of some analyzers, a solution could be to use SonarQube: you could then choose when to upgrade the product, along with its analyzers. It would still have to happen, but you would be in control. The flip side of the coin is that you would have to operate the product yourself and would not get continuous improvements.

I hope this clarifies and helps!
@AlxO

2 Likes
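For a regulated project like the one in the question, the practical mitigation when you cannot pin analyzer versions is to record which analyzer versions produced each analysis and fail loudly when they change. The script below is an added example written for this thread; it is not code from the thread, from SonarSource or from either poster. It assumes the SonarQube Web API endpoint `api/plugins/installed`, whose JSON response lists installed plugins with `key`, `name` and `version` fields; whether SonarCloud exposes the same endpoint, and the plugin keys and version strings used in the sample responses, are assumptions made here for illustration.

```python
"""Snapshot and diff the analyzer (plugin) versions behind a Sonar analysis run.

Added example, not code from the thread or from SonarSource. It assumes the
SonarQube Web API endpoint `api/plugins/installed` (JSON with a "plugins" list
of objects carrying "key", "name" and "version"); whether SonarCloud exposes
the same endpoint is an assumption. The two responses below are constructed
sample data with made-up version numbers.
"""
import base64
import json
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# Constructed sample: the response stored as the baseline for the last
# validated analysis (plugin keys and versions are made up).
BASELINE_JSON = json.dumps({"plugins": [
    {"key": "cpp", "name": "CFamily analyzer", "version": "6.0.0.1"},
    {"key": "python", "name": "Python analyzer", "version": "3.0.0.1"},
]})

# Constructed sample: what the server reports on a later run, with the C++
# analyzer upgraded, one analyzer removed and one added.
CURRENT_JSON = json.dumps({"plugins": [
    {"key": "cpp", "name": "CFamily analyzer", "version": "6.1.0.2"},
    {"key": "java", "name": "Java analyzer", "version": "7.0.0.1"},
]})


def fetch_installed_plugins(base_url: str, token: str) -> str:
    """Return the raw JSON from <base_url>/api/plugins/installed.

    Not used by the offline demo. A user token is sent as HTTP Basic auth
    with an empty password, which is how Sonar tokens authenticate.
    """
    req = Request(base_url.rstrip("/") + "/api/plugins/installed")
    cred = base64.b64encode((token + ":").encode("ascii")).decode("ascii")
    req.add_header("Authorization", "Basic " + cred)
    with urlopen(req, timeout=30) as resp:  # noqa: S310 (URL is operator-controlled)
        return resp.read().decode("utf-8")


def parse_plugin_versions(json_text: str) -> Dict[str, str]:
    """Map plugin key -> version string from an api/plugins/installed body."""
    data = json.loads(json_text)
    return {p["key"]: p["version"] for p in data.get("plugins", [])}


def diff_versions(baseline: Dict[str, str], current: Dict[str, str]) -> dict:
    """Classify every plugin as added, removed, changed or unchanged."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def check_against_baseline(baseline_json: str, current_json: str) -> Tuple[bool, List[str]]:
    """Return (unchanged, messages); a pipeline gate would fail on False.

    A changed analyzer version explains new findings in untouched code: the
    code did not change, the analysis engine did.
    """
    diff = diff_versions(parse_plugin_versions(baseline_json),
                         parse_plugin_versions(current_json))
    messages = []
    for key, (old, new) in sorted(diff["changed"].items()):
        messages.append(f"analyzer '{key}' changed: {old} -> {new}")
    for key, ver in sorted(diff["added"].items()):
        messages.append(f"analyzer '{key}' added at {ver}")
    for key, ver in sorted(diff["removed"].items()):
        messages.append(f"analyzer '{key}' removed (was {ver})")
    return (not messages, messages)


if __name__ == "__main__":
    ok, notes = check_against_baseline(BASELINE_JSON, CURRENT_JSON)
    print("analyzers unchanged" if ok else "ANALYZER VERSIONS CHANGED:")
    for note in notes:
        print("  " + note)
```

In a pipeline you would fetch the JSON once per run, commit the accepted snapshot next to the project's Quality Profile export, and run the check before the scanner; when it fails, a human reviews the new findings knowing they come from an analyzer upgrade rather than a code change, then updates the baseline. On SonarQube the same snapshot also tells you which server release produced the results, which is the versioning the question asks for.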